Chief information security officers (CISOs) today have replaced chief information officers (CIOs) as the most under-valued C-level executives. In fact, according to research from the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), nearly one-third (29 percent) of corporations today still do not have a CISO role or its equivalent. And for those that do have such a role, the CISO is often relegated to “glorified administrator” status, rather than strategic business enabler.
This is why CISOs are almost always fired or “resign” after major data breaches. When shareholders and customers demand blood following a breach, the CISO is the sacrificial lamb, even if there is no realistic way the CISO could have prevented the breach under the operating circumstances (which could include insufficient budget, headcount, and business visibility). This is often a self-defeating act, since the CISO is usually the most qualified person to manage post breach forensics, cleanup, and compliance audits.
In many ways, the plight of today’s CISO mimics that of CIOs in the 1990s. Back then, the CIO stereotype among business executives was “the…
